phishing sites report - March/2005

Gadi_Evron · March 28, 2005, 5:25pm

Below is a periodic public report from the Malicious Websites and
Phishing research and mitigation mailing list (a sub-group of the drone
armies / botnets research and mitigation mailing list).
For this report it should be noted that we base our analysis on the data
we have accumulated from various sources.

According to our incomplete analysis of information we have thus far, we
now publish the following report.

Notes on the report:
* The report is in descending order.
* In the listing are also included suspected child pornography sites,
however, their numbers are not large enough to effect the statistics.

Number of phishing sites found: 276.

The ISP's that are most often plagued with phishing sites:

Dan_Golding · March 28, 2005, 7:09pm

Forgive me for being skeptical, but...

How do you come up with these? Are these the direct upstream ISPs of the
phishing sites or the next hop AS's from your test site?

Is there a link to the original data?

- Dan

Gadi_Evron · March 28, 2005, 7:19pm

Daniel Golding wrote:

Forgive me for being skeptical, but...

I would prefer you being skeptical. Please don't take my word on any of this.

How do you come up with these? Are these the direct upstream ISPs of the

These are the digested results from the reports sent to the malicious websites and phishing research and mitigation list.

phishing sites or the next hop AS's from your test site?

Plainly put, these are the results you get when you feed the IP's of the hosting web sites to the Cymru whois.

Is there a link to the original data?

Nope. We hope to release more data in our next reports. Please let us know what kind of data you'd like available. We'll do our best to provide it.

One of our main goals is public awareness, so we are very interested in feedback.
If you have further questions on the process itself, I'd gladly direct you to the guy who actually does the data mining and statistics - but the list data itself is not open to the public.

Gadi.

Dan_Golding · March 28, 2005, 8:20pm

Gadi,

This report isn't terribly useful without the IP addresses (or URLs) in
question. How could an ISP start investigating and/or null routing these
addresses without having the list?

I suppose I'm skeptical because some of those ASNs are not big content
hosters. Some are transit-only ASN's.

Also, if you are using WHOIS to check the IP addresses for their owner, how
are you correlating to ASN? Through an IRR? Or is there a route lookup
somewhere in the mix?

Even if you won't release full data (although I can't imagine why not), you
need to fully disclose the methodology. "Digested" is insufficient when ISPs
and hosters are being called out by name.

- Dan

Gadi_Evron1 · March 28, 2005, 8:55pm

Daniel Golding wrote:

Gadi,

This report isn't terribly useful without the IP addresses (or URLs) in
question. How could an ISP start investigating and/or null routing these
addresses without having the list?

I suppose I'm skeptical because some of those ASNs are not big content
hosters. Some are transit-only ASN's.

Also, if you are using WHOIS to check the IP addresses for their owner, how
are you correlating to ASN? Through an IRR? Or is there a route lookup
somewhere in the mix?

Even if you won't release full data (although I can't imagine why not), you
need to fully disclose the methodology. "Digested" is insufficient when ISPs
and hosters are being called out by name.

To answer all your above welcomed questions...
We will release the data we can, sorry.

That said -
We are looking for ways to release the actual IP's (phishing web pages) information in a sort of a blacklisting service. Currently the data is mixed with suspected CP sites and that's a no-no for release.
There are steps to take, and you are right - that's one of them, and perhaps even more important than we currently believe.
As to the usefulness of this particular report, it is about showing the problem, not killing sites.

As to "proving" to the ISP's -
Each of the respected service providers can contact us and get the information directly, and then make up their own minds.

As to the exact methodology used, I'll have to refuse to divulge that information publicly at this time. You don't have to believe the data. You can believe in some of the public names associated with this work.

Statistics may be a "blown out of proportions" word here, as all we do in this particular case is count.

And sorry, we'll keep calling these service providers by name, and "put our money where our mouth is" when they ping us back, like we did with The Planet, PNAP, KrCERT and others on our botnets C&C report. Also, we give credit where credit is due to service providers who show they are serious.

Keep in mind, although we won't go for "amateur" work, this is volunteer work.

Gadi.

Gadi_Evron · March 29, 2005, 1:12pm

We provided Daniel with all the information he requested in private, and even learned a thing or two. Others are always welcome to contact us.

Gadi.

Dan_Golding · March 29, 2005, 8:16pm

And I appreciate Gadi's efforts. I hope they will soon be willing to make
this methodology public, as their work continues. And to take down some
phishing sites of course

- Dan